Planet Money - How to launder $600 million on the internet

Episode Date: September 16, 2023

Erin Plante is a private detective who specializes in chasing down stolen cryptocurrency. In March of 2022, she got the biggest assignment of her career: Hackers had broken into an online game called Axie Infinity and made off with over $600 million worth of digital money. It was the largest crypto heist in history. And now it was Erin's job to find that money and get it back. Erin's investigation would lead her to face off against some of the world's most formidable digital money launderers, whose actions would soon raise alarms at the highest levels of government — even threaten the nuclear security of the entire planet.

This episode was hosted by Jeff Guo and Keith Romer, produced by James Sneed, edited by Jess Jiang, fact-checked by Willa Rubin & Sam Yellowhorse Kesler, and engineered by Maggie Luthar. Alex Goldmark is our executive producer.

Help support Planet Money and get bonus episodes by subscribing to Planet Money+ in Apple Podcasts or at plus.npr.org/planetmoney.

Transcript
Starting point is 00:00:00 This is Planet Money from NPR. One of the biggest things in the world of crypto a couple years ago was this game called Axie Infinity. You can think of it as like blockchain Pokemon. You buy these tiny little digital pet blobs with tiny little legs and you fight them against other people's tiny pet blobs. Except every pet is also an NFT, basically this digital beanie baby. And some of them were selling for thousands of dollars. People have made this game their full-time job. You can even trade your Axies for cryptocurrency on our marketplace.
Starting point is 00:00:41 A lot of Axies fans seemed convinced that the game was proof that crypto could be used to create an entire economic ecosystem. The company behind Axie Infinity grew into a multi-billion dollar business. Then, in March of 2022, this candy-colored paradise full of happy-go-lucky but also weirdly lucrative digital pets was the scene of a shocking crime. A heist. They were heisted. It was a heist. And that is where our story begins. In the middle of the night, Erin Plante gets a phone call.
Starting point is 00:01:15 It was about four o'clock in the morning. And you know when your phone is set to do not disturb, but when someone calls you repeatedly in such short increments of time, it will actually ring through. That's what's happened. Erin is essentially a private detective who specializes in hunting down stolen cryptocurrency. And that frantic caller was her boss. Erin was about to get the biggest assignment of her life. I think the first words out of his mouth were Axie Infinity lost $600 million. $600 million worth of crypto plucked out of one of the company's digital wallets.
Starting point is 00:01:53 What was your reaction? My reaction is just horrified. I mean, it was jaw dropping. That's a huge amount of money, an absolutely astounding amount of money. It was, in fact, the largest crypto heist in history. And now it was Erin's job to track down where it all went. Hello and welcome to Planet Money. I'm Jeff Guo. And I'm Keith Romer. That 4 a.m. phone call would launch an 18-month-long investigation and lead Erin to face off against some of the world's most sophisticated digital money launderers. Today on the show, the biggest crypto heist of all time,
Starting point is 00:02:31 a case that would eventually pull in the FBI, raise alarms at the highest levels of government, and threaten the nuclear security of the entire planet. A lot of times when there's a high profile crypto crime, Erin and her team get called in. Erin is the vice president of investigations at a startup called Chainalysis, and she's often working side by side with law enforcement. You have a security clearance. I do. How often in your regular life do you have to use the phrase, it's classified? I've never had to use that phrase before. I actually don't think most people in my regular life have any idea what I do. Because by the time they find out, they've disappeared. Yes, yeah. Yes, exactly. When Erin first started out 20 years ago, she was helping governments investigate bribery and corruption and tracking down where all those bribes were going.
Starting point is 00:03:38 And Erin loved this methodical kind of work. I'm very much a math, science, black, white, nothing colorful in between kind of person. Back in the early 2000s, it was kind of the dawn of digital evidence. Erin would have to literally sneak into server rooms, physically plug in hard drives and copy over the incriminating data. We would often go into a company building and our story was that we were there to do a software upgrade. Literally undercover. This was your cover story. You're an IT person. Yes, we were an IT person. So we would go in with a cover story that we were there to do a software upgrade or do something IT-related, and it had to be done overnight.
Starting point is 00:04:26 So we would arrive in the evening. We would work all night copying people's emails. In secret? In secret. Those emails would sometimes hold clues to illicit payments, and they would help Erin trace those payments through the financial system, through credit cards and wire transfers and banks. It was all this very slow process with all of these dead ends. But by the time the Axie heist happened last year, a lot had changed in Erin's world.
Starting point is 00:04:51 Instead of using the traditional financial system, these days more and more criminals are using cryptocurrency, laundering money through Bitcoin or Ethereum or whatever. And in some ways, crypto might sound like an investigator's dream because every transaction gets recorded on the blockchain. And for most of the big cryptocurrencies, that blockchain is visible to the entire world. So it is real time. It is available for anyone to look at. And you can follow the money in a similar manner that you follow it in traditional financial crime investigations, but you're able to do it much faster. But in the world of crypto, the criminals can also move much faster.
Starting point is 00:05:37 And in all of these really sophisticated ways. Now, when Erin was hired by Axie Infinity to investigate this heist, step one was to start at the scene of the crime. And you know how in murder mysteries, they have that wall where they tape photos of suspects and evidence, and there's this little red string connecting everything. They love a murder board. You gotta love a murder board. Exactly. Erin has a version of that for the blockchain. We're in her office, and she pulls it up on her computer. And she can show us exactly what happened in the immediate aftermath of the Axie heist.
Starting point is 00:06:11 So this yellow circle here is Axie Infinity's wallet. This is their wallet that they control. And this yellow circle here is the wallet that the money moved to. And then you see from this hacker wallet that held all of the stolen funds, you see this sort of spray of lines coming out of it. In those first few hours after the heist, the hackers are already moving that stolen crypto. They're changing wallets. They're splitting money into different wallets. They're swapping it for other kinds of cryptocurrencies. It's like following a getaway car that is making exits off of off ramps
Starting point is 00:06:58 and going through tunnels and going onto different roads and merging onto other roads to try to lose the path of the car that's behind them chasing. In this case, it sounds like you guys are in a helicopter and you can just see them. That's a good analogy. I think we are in a helicopter and we can see them, and we're watching them at all times. Erin doesn't know who these hackers are, but one thing she notices is they are good. They are methodical.
Starting point is 00:07:27 They are breaking this money into regular amounts, moving it around in systematic ways, and then they kick it up a notch. So it's now an hour or two in, and we are looking at the money that came out of the Axie Infinity treasury, and it starts to hit a mixer called Tornado Cash. And so that immediately sets off alarm bells. Tornado Cash is this notorious cryptocurrency mixer. Mixers are these digital services that take in money from different places and kind of scramble it all together. For the Erins of the world, they are a giant headache. Here's how they work.
Starting point is 00:08:07 Let's say I have 10 bitcoins and I bring it to a mixer. A mixer is collecting my bitcoins. It's collecting bitcoins from other people. And it uses these fancy algorithms. One of them is called CoinJoin to pool all of our bitcoins together and then randomly deposit our money into new, clean digital wallets. Now, mixers can be used for legitimate reasons, for privacy, to keep your crypto transactions
Starting point is 00:08:35 anonymous. But they are also essentially the ultimate money laundering tool. So when money hits a mixer, it'd be like if the getaway car went into a building. Like a giant garage. Exactly. It goes into a giant garage and 15 cars come out the other side. And those cars are all identical. I think this is a plot element in Ocean's Eleven.
Starting point is 00:08:59 I think it is. It absolutely is. And if it's not, they should build it into the next one. And so what happens there is you don't know which one to continue chasing. You saw one car go in, and you saw multiple come out. All right. Hold up. Hold up, Jeff. You know that I'm not going to allow your erasure of the Fast and Furious franchise to go unremarked.
Starting point is 00:09:24 It's from 2 Fast 2 Furious, not from Ocean's Eleven. Okay, go on with the show. Okay, okay. Regardless of which fictional movie this came from, in the real world, in the real Axie Infinity heist, these hackers, they weren't just using one mixer. They were using multiple mixers, one after another after another. And all this scrambling can make it really difficult, almost impossible for investigators to follow the trail.
Starting point is 00:09:54 Except Erin lets us in on what is kind of a secret. She says she and her team at Chainalysis have started to develop ways to essentially reverse the mixing process, to actually trace the money through a mixer and out the other side to see which is the right car for them to be following. Do the criminals know you can do this? They are starting to figure it out. So one year ago, I would have said no. And at that point, Chainalysis didn't even talk about demixing. We didn't want criminals to know that demixing, as we call it, was even possible.
Starting point is 00:10:29 Wait, so people thought this was actually impossible to figure out which of the getaway cars were the right ones? Yes. Yes, exactly. Erin was pretty cagey about how their demixing technology actually works. When I pressed her for details, she told me it was proprietary, and she didn't want to give away too many clues to the criminals. It sounds like what you're doing is you're taking advantage of, like, vulnerabilities in how these mixers operate. Erin starts looking at the public relations guy sitting in the corner.
Starting point is 00:11:06 I probably can't say that. Okay, it's classified. It's classified. We get it. We get it. It's classified. Yeah. Erin was not going to tell me how they did the demixing. But I talked to some computer security experts and they told me, in theory, maybe here's how you could do it. Like, you might make a database of all the digital wallets associated with a mixer. You might monitor the entrances, the exits, maybe look for patterns and how money flows in and how money flows out. Still, even with whatever fancy demixing strategies Erin's team is using, they are not able to keep track of all the money
Starting point is 00:11:45 as it bounces around from one mixer to another mixer. Some of the cars still end up getting away. What fraction of the money would you estimate was lost to the mixing process? Probably about 10% was lost to the mixing. Yeah. It's like $60 million. That's a lot of money.
Starting point is 00:12:04 Yeah, exactly. The stakes are high when you're dealing with $600 million. Now, while Erin is trying to track where all that money is going, she's also trying to figure out who is behind the heist and where the money will ultimately end up. And this is where she starts to get this bad feeling. The way the thieves are moving the stolen crypto, it's clear that this is not some random teenage hacker who just got lucky. This is a tightly choreographed operation. The hackers are moving the crypto into the mixers at these precisely timed intervals. They're routing it through multiple mixers, including the notorious Tornado Cash. And Erin, she had seen these tactics before.
Starting point is 00:12:47 This was the MO of one of the most formidable crypto hacking operations in the world. Once we see the money start moving to Tornado Cash in this way, this very structured, very systematic way, we say, oh, this starts to look like North Korea. And if the North Koreans were the ones behind this hack, this was no longer just about getting the money back for some online game. This had become a problem of national security. Last year, the FBI created a special team devoted to crimes involving cryptocurrency.
Starting point is 00:13:36 So my name is Chris Wong. I'm a supervisor at the virtual assets unit within the FBI. As you might imagine, there's kind of this weird culture clash between the very buttoned up culture of the FBI and the very not buttoned up world of crypto. And this clash is neatly captured by the virtual asset unit's choice of mascot. Oh, of course there's a mascot. We have an alpaca for sure. Really? No. Are you kidding? Yeah. I think it's J. Edgar Hodler. No, no. No, I'm dead serious. Yeah. It's J. Edgar Hodler.
Starting point is 00:14:02 You know, like, Hodler, if you know crypto. So this is like a mashup of J. Edgar Hoover, who is the infamous first director of the FBI, and HODL, H-O-D-L. It's like this crypto inside joke. It stands for hold on for dear life, like never, ever sell your crypto. Now, clever mascot aside, Chris is still very much an FBI agent. So while we know that the FBI worked on the Axie Infinity case, and we know that Chris is one of the crypto experts inside the FBI, good luck getting Chris to actually talk about the case. Have you worked on this investigation? So we're not in the practice of talking about who, which agent is necessarily involved in any particular case. You're not allowed to talk about it. That's not really what I said.
Starting point is 00:14:52 Okay. So, interesting. Chris was, however, willing to talk about North Korea's involvement in this kind of thing. Chris is actually an expert in stopping the flow of illegal funds to North Korea. He says North Korea has been frozen out of the U.S. financial system since long before crypto, going back to like the 1950s. For decades, North Korea has been one of the most sanctioned countries in the world. Part of our job is to essentially enforce those rules. Over the years, North Korea has found all these creative ways to work around these rules, like using front companies to secretly sell their coal and buy gas. But six or seven years ago, Chris noticed the North Koreans were increasingly turning their
Starting point is 00:15:35 attention to crypto. I would say like the North Koreans, I call them crypto curious. They do everything. They try everything. Crypto curious. Yeah. Well, you know, the whole promise of crypto is we're going to disrupt the traditional financial system. And I'm sure from a North Korean perspective, it was like, well, the traditional financial systems kind of has all these roadblocks. So this sounds great. Let's disrupt it. Yeah. Right. I mean, if you think about, you call them roadblocks, but we call them anti-money laundering controls. You know? Rules. It's like rules in place for a good reason.
Starting point is 00:16:10 Like, dang, you have to provide an ID to open a bank account? These kinds of roadblocks, these whatever rules, by and large, did not exist in the world of crypto back then. The North Koreans could set up accounts and transfer money, no questions asked. And their state-sponsored hackers have turned into some of the world's most sophisticated digital money launderers. Last year, they stole a record-breaking amount of crypto. Some estimates put it north of a billion dollars. So we're talking significant amounts of funds. And, you know, the issue, it's not that, you know, North Korea is stealing these assets and doing good with them. Like they're diverting large amounts of currency into funding weapons production and weapons delivery systems. Nukes.
Starting point is 00:16:53 And yeah, exactly. The Biden administration recently estimated that half of the North Korean nuclear program is being funded by stolen crypto. And 2022 was record-breaking, not just for North Korea's crypto hackers, but also for its nuclear program. Before 2022, North Korea had been doing maybe 10 or 20 cruise and ballistic missile tests a year. Last year, by some estimates, they fired off 90. So the U.S. government is now taking North Korea's crypto operation a lot more seriously. The Axie Infinity hack, it was really the turning point. Because of that hack, for the first time ever, the U.S. government put sanctions on crypto mixers.
Starting point is 00:17:36 They went after two of North Korea's favorite mixers, including the notorious Tornado Cash. They even recently arrested one of Tornado Cash's founders. Shutting down the mixers was one way to make life harder for the Axie hackers, to slow them down. But Chris says the larger goal is not just to slow them down. The goal is to stop the North Koreans from turning their stolen crypto into actual cash. Well, North Korea needs crypto to buy stuff, but you can't buy ballistic missiles with Bitcoin. You can't? Yeah. Well, I mean, maybe you can. I've never tried. But like ultimately, you need to convert this crypto to fiat currency or cash, like government backed cash, like dollars or rubles or something.
Starting point is 00:18:18 And there are just not that many places where you can offload hundreds of millions of dollars worth of crypto. At the time, one of the big ways for the North Koreans to cash out was to send their crypto to a third party, to a place called a centralized exchange. These are kind of like the banks of the crypto world. And for the FBI, they represent one of the few opportunities they have to actually get some of the stolen money back. Generally speaking, those are the prime places where we're able to have some sort of impact. Like places that have a real phone number and existence. Sure, but your mileage is going to vary with a lot of exchanges. Some crypto exchanges still see themselves as disruptors of the traditional financial system.
Starting point is 00:19:04 They seem to really not care all that much who is using their services. They don't ask their customers too many questions. But some crypto exchanges are more willing to cooperate. When the FBI sees stolen money moving to one of those exchanges, they can reach out. They can say, hey, freeze that account. It's the North Koreans. And the exchanges will actually do it. Now, the FBI, they are not doing all of this alone. Remember, Erin and her team of investigators from Chainalysis, they are also simultaneously digging around in the Axie Infinity case. They've been hard at work following the money up and down the blockchain through all
Starting point is 00:19:41 these different mixers. And they think they know where like 90% of the stolen crypto is. Their strategy is to exploit the vulnerability that Chris mentioned. So Erin and her team are waiting for the North Koreans to try and cash out the stolen crypto at one of these centralized exchanges. That is when she and her team will have a brief window of time to catch the money before it slips away again. So we've done a lot of timing analysis on how long you actually have to freeze money. And it's somewhere in the window of 20 minutes to one hour at the most. What?
Starting point is 00:20:17 Yeah. Were you literally having people just like 24-hour shifts watching where this money was going? That's exactly what we were doing. Somebody is watching at all times, 24-7. It's like a crypto stakeout. Yeah. Erin says they're just logged onto their computers. They're waiting for an alert to go off that says the money's on the move. And Erin remembers the first time all of that watching and waiting paid off. I was actually on an airplane and I was connected to the airplane Wi-Fi.
Starting point is 00:20:45 And it was like 10 p.m. And one of my investigators said, money just moved to this address. And that address we knew belonged to a service that we had relationships with. That's when the timer started. Erin and her team knew they only had 20 minutes, maybe an hour, before the money would slip away and possibly disappear forever. So they reached out to the crypto exchange, convinced them to put a temporary hold on the accounts. Erin says her team then contacted the FBI. And with the FBI's help, the U.S. government issued a warrant to freeze almost $6 million worth of crypto.
Starting point is 00:21:22 And it was exciting because it was also the first time we had seen North Korean money be frozen in a very long time. Really? Yeah. That was their routine for months. Alerts would come in, they would race to contact more exchanges, get more warrants, try to freeze more money. You feel the pressure to get the message out to whoever needs to
Starting point is 00:21:44 as quickly as possible, and then you're just like hoping that they're going to respond. At first, a lot of the exchanges would not respond. But Erin says over the last year, the conversations with the exchanges have actually gotten a lot easier. You could reach out to pretty much any service that you had somebody to reach out to and say, this is Axie money. And they knew exactly what you were talking about. You didn't have to explain. Through this process, week by week, they were able to freeze more of that stolen money. A few million here, a few million there. Money they were keeping out of the hands of the North Koreans. And also, Erin says, since the heist, the value of the stolen crypto, it's also fallen by like half. But still, we're talking hundreds of millions of dollars.
Starting point is 00:22:28 And the truth is, for all their hard work, Erin and her team know that the vast majority of all that stolen money, they are never going to be able to get that back. If you look at the numbers, I think at the end of this whole investigation, about 20 percent of the money will be recovered. The other 80% either got to the North Koreans or is still sitting out there somewhere on the blockchain. I mean, it happens all the time, unfortunately, and it's not, you know, the fault or wrongdoing of anyone. It's the nature of how quickly money can flow through in this digital ecosystem. In the end, the Axie Infinity heist was this kind of watershed moment for the world of crypto. For one thing, it caused the U.S. government to take these unprecedented steps to try to slow down crypto money laundering. And it even got some folks in the crypto world to start recognizing some of the dangers of crypto.
Starting point is 00:23:33 A lot of the centralized exchanges, they're beginning to ask their customers more questions, requiring ID, doing a little more due diligence. For Erin, the Axie case was kind of the high point of her career so far, partly because it was the biggest investigation, but partly because she finally got to share what she and her team had pulled off. She's usually not allowed to talk about her work. There are usually cases that are classified or completely confidential, and we're never able to talk about them. But within our team, we give a lot of, you know, digital, private, classified high fives. Classified high five. That's all you get. High fives. That's what we'll call it. But in this case, her clients, the Axie Infinity team,
Starting point is 00:24:13 they were happy to let her talk about the case. In fact, they invited her to speak at their conference last year, which sounded like this big party. They called it AxieCon. It started at a pool party where there were all these like neon colored drinks and we were on a rooftop in Barcelona drinking our neon drinks, feeling really cool. I've never really been part of like a cool crowd. I'm usually more classified with like the nerds and the computer geeks. At the conference, one of the founders brought her up onto this big stage
Starting point is 00:24:50 so that she could give an update on the stolen money to all the Axie fans and game players who had come. Afterwards, when I did walk off stage, there were hundreds of people that came up and they were hugging me and thanking me. And I mean, it was emotional. I was really excited for everyone. After spending all that time on the blockchain, giving digital, private, classified high fives,
Starting point is 00:25:15 getting to celebrate out in real life, in the real world, that was nice. We took a lot of selfies of them throwing up the, they call it the Axie. I still can't do it properly, but they all, they have a hand signal. It's an Axie. In all the photos I saw that got posted, I'm doing it incorrectly and everyone else is doing it correctly. Again, I'm a nerd. Have you been robbed of $600 million worth of crypto? Send us an email.
Starting point is 00:25:48 We are at planetmoney at npr.org. You can also find us on Instagram or Facebook. We are at Planet Money. James Sneed produced this episode. It was engineered by Maggie Luthar, fact-checked by Willa Rubin and Sam Yellowhorse Kesler, and Jess Jiang edited it. Alex Goldmark is our executive producer.
Starting point is 00:26:06 Special thanks today to Tiffany Bao, Adam Dupay, Julia Hardy, Trenton Kennedy, and Caroline Bresler. I'm Keith Romer. And I'm Jeff Guo. This is NPR. Thanks for listening. And a special thanks to our funder, the Alfred P. Sloan Foundation, for helping to support this podcast.
